Cloud-Based Routing™ Blog

Cloud Based Load Balancers – The Hidden Dangers of SSL Termination

For the last two decades, network load balancers have been a key infrastructure component for maintaining high availability for network based services.

Load Balancing Vs. Content Delivery Networks

Unlike Content Delivery Networks (CDNs) such as Akamai or Cloudflare, which fetch your static data and serve it via anycast from many locations, load balancers provide a service address, known as a VIP (Virtual IP address), that serves as the destination a client connects to for a given network service. The load balancer then chooses the destination host from a pre-configured list and splices a network connection between the consumer and the service. The load balancer can provide intelligence as to which back end servers are healthy or predict which will provide the best response times.

Port 443 Load Balancing

Load balancing SSL-protected services, which by definition provide a secure channel between your client and the authoritative server, is more complicated. Classic network load balancing can choose a backend authoritative server and pass the SSL traffic through to it, so the secure channel is negotiated end to end with the backend server. Unfortunately, once a backend server is selected, all SSL traffic for that session must terminate on that server. If the backend server fails or is taken out of service, any established sessions will fail, and the clients will be able to reconnect to the VIP address and be passed through to the other active backend servers.

SSL Load Balancing

To address this limitation, SSL termination was moved from the back end servers to the VIP of the load balancer. For the service provider, this change brought significant benefits. Now that the load balancer held the SSL private key, it was the destination of the SSL channel. The load balancer was able to decrypt your data, look further into your request, and request content from any configured backend server to complete it. Because of the SSL termination, the load balancer was the point at which many organizations injected IDS/IPS inspection. Once the request was inspected, it would either be sent to the backend servers in cleartext, or the load balancer would become an SSL client to the backend server, with the backend server using a self-signed certificate.

Unknown to the end user, that green lock at the top of your browser now provides a false sense of security, as it no longer signifies that you have a secure channel to the backend host, but only to the load balancer. SSL offloading is always a man-in-the-middle attack. The argument for allowing this risky configuration was that the backend identity risks could be mitigated on a tightly controlled private network.

With Cloud Based Load Balancers, the backend network may pose a MITM risk

As load balancers become the next IaaS component to move into the cloud, the backend communication may wind up travelling over the Internet, so additional assurances must be put in place to protect against an untrusted network. The backend servers must use valid SSL certificates, and the cloud based load balancers must be configured to validate those certificates. ACLs on the backend servers provide protection against direct attacks on the origin content. While ACLs can protect against network vulnerabilities that may put the source content at risk, ACLs cannot protect against man-in-the-middle attacks and cannot verify the identity of the backend host providing the content.
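To make that requirement checkable, here is an added audit script (not from the original post or any vendor) that scans HAProxy-style `server` lines for origin hops without end-to-end assurance: cleartext to the origin, `verify none`, no CA bundle, or no hostname check. The config block is constructed sample data; the `ssl`, `verify`, `ca-file`, `sni` and `verifyhost` keywords are HAProxy's own, and the hostname rule assumes HAProxy's behaviour that the origin certificate's name is only checked against `verifyhost` or the configured `sni`.

```python
# Constructed sample backend (not from the post); addresses are RFC 5737 documentation ranges.
SAMPLE_CONFIG = """
backend web_origin
    # cleartext to the origin: tolerable on a private LAN, exposed on the Internet
    server app1 203.0.113.10:80 check
    # re-encrypted, but the origin certificate is never checked
    server app2 203.0.113.11:443 ssl verify none
    # chain validated, but no name check: any cert from that CA is accepted
    server app3 203.0.113.12:443 ssl verify required ca-file /etc/ssl/certs/ca.pem
    # chain and hostname validated against the expected origin name
    server app4 203.0.113.13:443 ssl verify required ca-file /etc/ssl/certs/ca.pem verifyhost app4.example.net
"""


def parse_server_lines(config):
    """Yield (section, server_name, option_tokens) for every 'server' line."""
    section = "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] in ("backend", "listen", "frontend", "defaults"):
            section = words[1] if len(words) > 1 else words[0]
        elif words[0] == "server" and len(words) >= 3:
            yield section, words[1], words[3:]  # drop 'server', name, address


def audit_backend_tls(config):
    """Return {'section/server': [findings]}; an empty list means the hop is verified end to end."""
    report = {}
    for section, name, opts in parse_server_lines(config):
        issues = []
        if "ssl" not in opts:
            issues.append("cleartext")  # load balancer speaks plain HTTP to the origin
        else:
            i = opts.index("verify") if "verify" in opts else -1
            verify = opts[i + 1] if 0 <= i < len(opts) - 1 else None
            if verify == "none":
                issues.append("unverified-cert")  # any certificate, including a forged one, is accepted
            else:
                if verify is None:
                    issues.append("verify-unspecified")  # outcome depends on the global ssl-server-verify default
                if "ca-file" not in opts:
                    issues.append("no-ca-file")  # nothing to validate the chain against
                if "verifyhost" not in opts and "sni" not in opts:
                    issues.append("no-hostname-check")  # a valid cert for the wrong host would pass
        report[f"{section}/{name}"] = issues
    return report
```

Call `audit_backend_tls(SAMPLE_CONFIG)` to get one finding list per origin hop; only `app4` comes back clean.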

Moving applications, or even just infrastructure components, to the cloud can yield capabilities beyond what your on-premises datacenter can provide. The cloud offers unprecedented deployment speed for new applications. Complex on-premises applications may become less secure if private networks are replaced by the open Internet.

We have been implementing complex load-balanced applications for nearly two decades. If you are considering moving a complex application or a component to the cloud and are concerned about the impact to the overall security of your environment, give us a call.